Building Virtual Home Lab for Pentesting

This is my personal documentation on setting up a basic pentesting lab in a virtual environment to learn some AD attack scenarios, network pivoting, and C2 (command & control) with metasploit.

Prerequisites#

Knowledge#

• Virtualization and VirtualBox
• Windows OS and Server Installation
• Basics knowledge of Windows/Windows Server (Desktop/GUI version)/
• Basics knowledge of Active Directory:
  • AD Domain
  • Principle name
  • DNS
• Basics knowledge of Networking (routing).

Hardware#

The following are the main specifications that I recommend, the list is sorted by priority.

• Storage: 256 GB minimum, SSD is a must for server, or use high speed USB 3.1/ type C drive.
• RAM: 8 GB of minimum, 16 GB recommended dual channel.
• CPU: AMD Ryzen 3 or Intel i3 6th (minimum), AMD Ryzen 5+ with H prefix or i5+ 6th gen with K/H prefix. (recommended).
  • 4th gen of i7 is still worth though.

For me, I used a single MSI laptop with the minimum requirements, except for the CPU.

Software#

• VirtualBox (Download)
• Kali Linux image file (Download)
• Windows 10 evaluation image file (Download)
• Windows Server 2019 evaluation image file (Download)

Topology#

I know my topology is bad.

Note: It’s NIC (Network Interface Card) not NC

For pivoting, I removed the Windows 10 inside network range of 10.10.10.100/28 from AD Domain.

Setup#

VM System Configuration#

System#

Initial for installation

• Server: 2424 MB of RAM
• Client: x2 1280 MB of RAM

After installation (removed style/desktop/disable junk service)

• Server: 1280 MB of RAM
• Client: 1024 MB of RAM
• Attacking machine: 1024MB of RAM

Trust me, I use 8 GB to host these VM. 😂

• Windows 2019 = Server
• Windows 10 = Client
• Kali Linux/Armed Ubuntu = Attacker

For initial setup, the two clients can stay inside 192.168.1.0/24 network.

Network#

Server Adapter 1:

Setting up Server#

Initial setup#

• Admin credentials: administrator:p@$$w0rd!
• PC Name: server19-DC (restart after)
• Network (Static):
  • Adapter 1: 192.168.1.100/24
  • Adapter 2: 10.10.10.100/28

Promote to Domain Controller#

• Server Manager > Manage > Add Roles and Features.
• Add Roles and Features Wizard:
  • Installation type: “Role-based or feature-based installation”
  • Server selection: server19-DC
  • Server roles: “Active Directory Domain Services” and check the “Include management tools”.
  • Features: Check the “Group Policy Management”
  • Confirmation: Check on “Restart destination server automatically if required”
  • Close after it’s done.
• Server Manager > Notification flag > Click on “Promote this server to a domain controller”
• Active Directory Domain Services Configuration Wizard:
  • Deployment configuration: “Add a new forest” and set “server19.local” as root domain name
  • Domain controller options: set “Windows Server 2016” as FFL (Forest Functional Level) and DFL (Domain Functional Level). Checklist DNS server and set the same admin password for DSRM password.
  • Additional options: set NetBIOS domain name to SERVER19
  • Let the rest options in default state until installation section.
  • Restart after installation complete.

Domain Accounts#

• John Smith
  • User logon name: jsmith@server19.local
  • Password: jsmith@123
• Carl Smith
  • User logon name: cmisth@server19.local
  • Password: @csmith@

All password is set to never expires.

Service Account#

Fake SQL Service

• User logon name: SQLService@server19.local
• Password: Mysql@Password123

Set service principle name:

setspn -a SERVER19-DC/SQLService.SERVER19.local:60111 SERVER19\SQLService
setspn -T SERVER19.local -Q */*

Configure File Sharing (SMB):#

• Server manager > File and Storage Services > Shares > Task > New Share.
• New Share Wizard:
  • Profile: SMB Share Quick
  • Share Location: C:\Shares\DATA (Create the Shares folder in C:)
  • Other Settings: Allow caching of share
  • Permission: Leave it default
  • Confirmation and create.

Setting up Client#

Initial setup#

• Client 1:
  • IP: 192.168.1.101 (static)
  • PC name: NESCOFFEE
• Client 2:
  • IP: 192.168.1.102 (static)
  • PC name: MILO

Local Accounts#

Same with domain accounts, but add an L at the end of username/password.

• Username: cmisthL, password: jsmithL@123
• Username: jsmithL, password: @csmith@

Join Domain#

Client 1:

• Use Server’s IP as DNS server: 192.168.1.100
• Hit Win+I, type “access”, click on Connect.
• Microsoft account window:
  • Click on “Join this device to a local Active Directory domain” under the alternate actions.
  • Use the server administrator password to join.
  • Skip the Add an account section
  • Restart

Client 2 has the same steps

Local Admin:#

• Set John Smith (jsmith@server19.local) as local administrator for NESCOFFEE.
• Set Carl Smith (cmisth@server19.local) as local administrator for MILO.

Setting up Attacking Machine#

• Put it on the same network
• Set static IP: 192.168.1.10

AD Attack Scenarios#

Here are some attack scenarios:

• LLMNR Poisoning - https://www.aptive.co.uk/blog/llmnr-nbt-ns-spoofing/
• AS-REP Roasting
  • Example attacks: ASREP-Roasting tags
• Kerberoasting - https://pentestlab.blog/2018/06/12/kerberoast/
• Take Over IPv6 DNS - https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
• DCSync
  • Example attacks: DCSync tags

Attack scenario(s) that requires two clients online + server:

• SMB Relay - https://akimboviper.gitbook.io/pentest-everything/everything/everything-windows/attacking-windows/relay-attacks/smb-relay
  • Example attacks: HackTheBox - APT